Diffstat (limited to 'user/dmidecode/security1.patch')
-rw-r--r-- | user/dmidecode/security1.patch | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/user/dmidecode/security1.patch b/user/dmidecode/security1.patch
new file mode 100644
index 000000000..da4bc9815
--- /dev/null
+++ b/user/dmidecode/security1.patch
@@ -0,0 +1,55 @@
+From 8ff32018e8dd53c26d1f0daef118037fdae58c68 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Wed, 1 Aug 2018 09:54:45 +0200
+Subject: dmidecode: Avoid OOB read on invalid entry point length
+
+Don't let the entry point checksum verification run beyond the end of
+the buffer holding it (32 bytes).
+
+This bug was discovered by Lionel Debroux using the AFL fuzzer and
+AddressSanitizer.
+
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+---
+ dmidecode.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/dmidecode.c b/dmidecode.c
+index fa6ecf1..474ca7b 100644
+--- a/dmidecode.c
++++ b/dmidecode.c
+@@ -4928,6 +4928,15 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
+ u32 ver;
+ u64 offset;
+
++ /* Don't let checksum run beyond the buffer */
++ if (buf[0x06] > 0x20)
++ {
++ fprintf(stderr,
++ "Entry point length too large (%u bytes, expected %u).\n",
++ (unsigned int)buf[0x06], 0x18U);
++ return 0;
++ }
++
+ if (!checksum(buf, buf[0x06]))
+ return 0;
+
+@@ -4966,6 +4975,15 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
+ {
+ u16 ver;
+
++ /* Don't let checksum run beyond the buffer */
++ if (buf[0x05] > 0x20)
++ {
++ fprintf(stderr,
++ "Entry point length too large (%u bytes, expected %u).\n",
++ (unsigned int)buf[0x05], 0x1FU);
++ return 0;
++ }
++
+ if (!checksum(buf, buf[0x05])
+ || memcmp(buf + 0x10, "_DMI_", 5) != 0
+ || !checksum(buf + 0x10, 0x0F))
+--
+cgit v1.0-41-gc330
+ |
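Review bot: The guard added to smbios3_decode() bounds buf[0x06] only from above, so a length below the 0x18 that the message calls expected still reaches checksum(); if checksum() sums no bytes for a zero length (its body is not visible here), such an entry point would pass without any verification. Consider also rejecting short lengths with a separate `if (buf[0x06] < 0x18) return 0;`, provided no supported firmware is known to report a smaller value. The same one-sided check is added to smbios_decode() on buf[0x05], although there the following `_DMI_` comparison and the fixed-length intermediate checksum still apply. The limit 0x20 is the 32-byte buffer size named in the commit message, not the specification length printed in the error text, so a comment such as `/* 0x20 is the size of the entry point buffer supplied by the caller */` would explain the difference and tie the constant to the allocation. Both function bodies continue outside the hunks.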